Plaintext Password Problem for Some GitHub Users

Protecting passwords is a critical yet challenging part of cybersecurity. Yesterday, it became an issue for code repository site GitHub, which had to announce to a small number of its users that a flaw in its system had revealed passwords in plaintext on internal logs.

Users received an email message, which many recipients have posted on Twitter, alerting them to the issue and advising them to reset their passwords. "During the course of a regular auditing, GitHub discovered that a recently introduced bug exposed a small number of users' passwords to our internal logging system, including yours," the email said.

Though the number of passwords exposed has been quantified as small or select, the exact number of passwords that were visible through internal logs remains unknown. In addition, the logs were reportedly only visible to GitHub employees. “They were not accessible to the majority of GitHub staff and we have determined that it is very unlikely that any GitHub staff accessed these logs,” GitHub wrote.

Despite the glitch with this bug, GitHub does take steps to ensure that passwords are not stored in plaintext format. “We use modern cryptographic methods to ensure passwords are stored securely in production,” the email said.

Bleeping Computers reported that users initially believed that the email was part of a massive phishing campaign, but it's worth noting that the code repository site has not been hacked or compromised and that the issue has been corrected, according to GitHub.

Despite the growing number of global cyber-threats, people don’t practice good cyber-hygiene when it comes to passwords. While accidentally exposing or even storing passwords in plaintext is one way for user credentials to be compromised, password reuse and failing to frequently change passwords is equally problematic.

“We know that our passwords have been exposed through either the LinkedIn hack, or the eBay hack and if we're one of those individuals that has used the same password on more than one website, even if that password happened to be pretty complex and it got breached, there are automated bots out there doing credential stuffing attacks, account takeover attacks, that are using our previous username and password,” Bart McDonough, CEO and founder of Agio told TechRepublic.